Policy | Security | Investigation

January 2009

January 31, 2009

If an institution – any institution – is to maintain its reputation, it must be prepared to investigate the actions of its employees (personnel). Inevitably, allegations will arise that this or that employee embezzled, acted unethically, abused authority, laundered money, executed an unauthorized trade or simply made a mistake. Power to conduct internal investigations is critical to government agencies and for-profit corporations, as well as charity, non-profit, and educational organizations.

Investigations today differ from those of the past by virtue of digital records. The sheer quantity of e-records (e-mail, text, chat or instant messages, logs, meta-data, photographs, blog comments, surveillance videos, and on and on and on) is mushrooming beyond comprehension. When an institution undertakes to audit whether a superior harassed a subordinate, an accountant misunderstood a tax liability or an administrator wrongfully tolerated a conflict of interest, a brimming corpus of electronic records can be available for examination . . . and can facilitate a just outcome. The records can shed welcome light on whether the subject of the investigation did what is claimed, or did not do it.

A case in point is an investigation at Yale University, a regular recipient of research grants from the federal government. Prosecutors alleged that academics at Yale had misallocated federal money (funds or assets) by (a) transferring grant funds to accounts that were not intended for the grants in question, and (b) paying themselves for summer activities using money from grants not earmarked for those activities.

In other words, the government claimed professors and staff played fast and loose in interpreting the purpose of specific grants.

In the face of such allegations, an institution has no choice but to cooperate with government. (Which university wants to be the subject of an adversarial police raid in search of computer records?) Yale launched a massive investigation, covering some $3 billion in grants over seven years (2000-2006). It turned over more than a million pages of documents. No doubt the massive quantity of records included email and other computer-based records. (A similar corruption probe in the 1980s could not have yielded as many records because computers and e-mail were not as pervasive then.) The college settled the matter in 2008 by agreeing to pay $7.6 million.

Although Yale admitted it had made some errors, the government granted the school a release from further liability with respect to the years that were investigated.

$7.6 million is a relatively small penalty. The university appears to have done itself three favors. First, it had retained plentiful records for many years. Second, it cooperated with the government and divulged rafts of records. Third, when the allegations first arose, Yale instituted reforms preemptively, including tighter accounting controls and improved staff training. The result was the imposition of only a small settlement payment. And as for the future, Yale remains qualified to receive grants from the government.

Had Yale produced fewer records, and displayed less transparency and less cooperation, the institution would not have fared so well.

I’ll bet the “errors” to which Yale admitted reflected past practices that had developed over decades, in an age when records were fewer and therefore government (inspectors general) had less ability to audit or investigate.

The incident teaches Yale staff (and staff at other institutions receiving federal grants) that they will be on a tighter leash for the future. A digital informant is ready to snitch on them. The super-plentiful e-records now being made about their daily activities expose them to greater review and accountability than was historically possible.

January 24, 2009

Electronic Records Had Been Discarded Under Interpretation of Retention Policy

Why Allow Deletion If Government Must Later Restore Records?

A county's formal policy on e-mail destruction failed to save it from the cost of recovering deleted e-mails in a lawsuit under Ohio's Public Records Act. Like FOIA laws in other states, Ohio's Records Act requires state government agencies like counties to disclose records to citizens upon request.

The case in question is a decision by the Ohio Supreme Court, State ex rel. Toledo Blade Co. v. Seneca County Board of Commissioners, 2008 WL 5157733 (Ohio Dec. 9, 2008). Plaintiff sought e-mails of county commissioners concerning demolition of an old courthouse. The county turned over some e-mails, but plaintiff managed to show that some relevant e-mails were missing because they had been deleted. It made this showing by analyzing the e-mails that were turned over and proving some logical gaps appeared within them. Also, some commissioners admitted they had deleted some of their relevant e-mails.

Forensics Reverses Written Policy!

The county's written policy allowed each user to delete e-mail that the user deemed to be of "no significant value." (Some people call such e-mails "non-records".) Such a policy is a version of the make-a-decision style of e-mail (text and instant message) records management, where users are expected to decide the destruction/retention fate of each message.

After the court determined that some relevant e-mails must have been deleted, it observed that through the use of forensics measures some e-mails might be recoverable from commissioner hard drives. The county argued it should not be required to restore deleted e-mails because they had been deleted in accordance with the county's record retention policy, which the county had adopted in good faith. Further, the county argued that forensics measures are excessively expensive.

The court disagreed with the county. The court ordered the county to undertake costly forensics steps to search for and restore deleted e-mail records that met certain criteria – all at the county's expense.

Different Retention Policy Needed

Gadzooks! If a government agency is required under a FOIA to incur great expense to recover deleted e-mails after officials had determined -- under a formally-adopted policy -- that the e-mails were of "no significant value," then it makes no sense to let officials delete e-mails in the first place. Such a make-a-decision style of policy is unworkable because it will cause the government regularly to employ expensive forensics to recover deleted records. As a policy matter, the government is wiser just to archive copious records and take decision-making out of the hands of individual users.

I have long questioned e-mail retention policies (the make-a-decision policies) that emphasize a user examining each particular message and then deciding whether to destroy it or to keep it. But some learned people disagree with me. An argument they sometimes make in favor of the make-a-decision style policy is that it mimics how paper was handled. With paper, they argue, lots of documents came across the desk of each official. The official would decide whether to throw the paper in the trash can, or to place it in folder A, or folder B or folder C.

Yet this Toledo Blade case demonstrates that e-mail is different from paper. Even after e-mail is deleted, it can still be recovered forensically. The cost of recovery can be high, but this court forced government to incur that cost.

Technical footnote: The court ruled the commissioners had probably violated the county's policy by deleting e-mails that were of significant value, when the policy said that only insignificant records would be deleted. However, this detail should not change our understanding of the case's import. From the point of view of someone writing records management policy, the risk is ever-present that a court will second-guess users after-the-fact. Looking back at past decisions, a court can always say, "user should not have allowed that e-mail to be deleted" or "user should have placed that e-mail in retention category X rather than retention category Y." Users always make records management mistakes, and thus leave an enterprise constantly exposed to the threat of having to employ forensics (after-the-fact) to reverse user decisions. Therefore, the policy writer is motivated just to remove users from retention/deletion decisions.

Background: One of the purposes behind Freedom of Information Acts -- and public records acts generally -- is to enable citizens, FBI, police and internal auditors to investigate public officials for fraud, waste, corruption, embezzlement, conflicts of interest and misappropriation of funds. The ever-present possibility of such a probe motivates officials to be fair and honest.

January 11, 2009

Some executives fear that e-mail will come back to haunt them, so they minimize their use of it. And they want corporate e-mail destroyed quickly.

But electronic records came to the rescue of David Stockman, former CEO of bankrupt auto parts maker Collins & Aikman. Stockman and other executives were indicted by prosecutors for allegedly lying about the company’s financial condition. Prosecutors apparently based the charges on an investigation by an outside law firm working on behalf of the company’s board of directors. Stockman and his co-defendants maintained that they were victims of a rush to justice. They said the law firm and the prosecutors failed to examine all the complex evidence carefully.

They and the government undertook to assemble a database containing 10 million company records, including (no doubt) copious e-mail records. Key topics in the case included C&A's:

* day-to-day internal communications among executives and employees regarding the accounting and invoicing for particular transactions, and

From this massive database, the defendants drew evidence, bit-by-tiny-bit, to tell their side of the story. In a database of this size, the ability to find the right evidence depends much on the careful selection of search methodology and search algorithms. Sometimes the only effective way to comprehend what is in the database is to engage in selective sampling of records.

Eventually the defense prevailed. In an unusual move, the prosecutors withdrew the charges, stating that they had come to reassess the evidence in the case.

In other words, the executives were fortunate that the company retained so many records like e-mail. E-archives exonerated the defendants.

In a putative corporate scandal, the relevant e-mail records can be maddeningly plentiful. A large number of computer-based records is unsurprising in a modern white collar crime investigation or police raid of corporate offices.

In this case, the defendants' legal team patiently mined the company’s email (and other records) to build a convincing case that prosecution was unwarranted.

As the quantity of records in a case swells like this, the ability of parties to review records one-by-one declines. Increasingly the law will favor those who can draw on statistical methods (or linguistic analysis) to tease out the evidence that tells their side of the case.

(David Stockman is most famous as Ronald Reagan’s budget director in the 1980s.)

--Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, thought leader in enterprise governance and records management. He also delivers training in cyber defense law at the SANS Institute.



Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.


Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.